FortiGate
ydong01
Staff
Article Id 195661

Description

This article describes how FortiGate uses the Automation function with a Webhook action to send a message to a Slack channel, and how to customize the information that is written to the event log/syslog and included in that message.

More information on the Webhook action: see the Webhook action documentation.

Solution

  1. Create New Automation.
  2. Give the new automation stitch a name.
  3. Select a Trigger method.
  4. Select an Event.
  5. Select an Action (Webhook).
  6. Enter the Slack Channel Information (the webhook URL and the HTTP body to post).
  7. For the test, generate an 'Admin login failed' event and watch the automation debug output:

 
 
FGT # diagnose debug app autod -1
Debug messages will be on for 30 minutes.

FGT # diagnose debug enable

FGT # auto_generate_generic_curl_request()-302: Generating generic automation CURL request for action (webhook2slack).
auto_generate_generic_curl_request()-350: Generic automation CURL request POST data for action (webhook2slack):
{"text": "This is for user - admin login failed as log reason - passwd_invalid, ui = ssh(10.48.48.131) log method - ssh from log srcip - 10.48.48.131 , msg - Administrator admin login failed from ssh(10.48.48.131) because of invalid password"}

auto_generate_generic_curl_request()-400: Generic automation CURL request Host header: hooks.slack.com
auto_generic_curl_request_close()-476: Generic CURL request response body from https://hooks.slack.com/services/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
ok
Where the HTTP body parameter comes from: the POST data shown in the debug output is the Body configured in the Webhook action in step 6, with each referenced log field (user, reason, ui, method, srcip, msg) filled in from the event log entry that triggered the stitch.
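The following is an added example, not part of the original article, that reproduces how the webhook body above is assembled from the triggering log entry. It assumes the %%log.<field>%% placeholder convention for log fields in the Body, a constructed 'Admin login failed' event-log line, and JSON-escapes each substituted value so that a quote inside the log message cannot break the payload Slack receives.

```python
import json
import re
import shlex

# Constructed sample: a FortiGate event-log line for an 'Admin login failed' event,
# in the key=value / key="value" format written to the event log/syslog.
SAMPLE_LOG = (
    'date=2023-01-01 time=12:00:00 logid="0100032002" type="event" subtype="system" '
    'level="alert" logdesc="Admin login failed" user="admin" ui="ssh(10.48.48.131)" '
    'method="ssh" srcip=10.48.48.131 action="login" status="failed" '
    'reason="passwd_invalid" msg="Administrator admin login failed from '
    'ssh(10.48.48.131) because of invalid password"'
)

# Assumed Body template for the Webhook action, mirroring the POST data in the
# debug output; %%log.<field>%% marks where a log field value is inserted.
BODY_TEMPLATE = (
    '{"text": "This is for user - %%log.user%% login failed as log reason - '
    '%%log.reason%%, ui = %%log.ui%% log method - %%log.method%% from log srcip - '
    '%%log.srcip%% , msg - %%log.msg%%"}'
)


def parse_log(line):
    """Split a FortiGate log line into a {field: value} dict (quotes removed)."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def render_body(template, fields):
    """Replace every %%log.<field>%% with the JSON-escaped value of that field.

    A field missing from the event renders as an empty string. The value is
    escaped with json.dumps so quotes or backslashes in msg keep the body valid JSON.
    """
    def substitute(match):
        value = fields.get(match.group(1), "")
        return json.dumps(value)[1:-1]  # drop the surrounding quotes json.dumps adds
    return re.sub(r"%%log\.([A-Za-z0-9_]+)%%", substitute, template)


def build_slack_payload(line, template=BODY_TEMPLATE):
    """Return the Slack payload as a dict; raises ValueError if the body is not valid JSON."""
    return json.loads(render_body(template, parse_log(line)))
```

Run build_slack_payload(SAMPLE_LOG)["text"] to see the same message text that appears in the debug output above.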
Some older versions, such as v6.0.5, may return an HTTP 400 error when posting to Slack; upgrade to at least v6.2.2.